
Financial Institutions Scramble for Compliance with Internet Banking Security Mandates as Multi-Factor Authentication Deadline Looms

Risk Assessment is First Step in Authentication Process

Due to the increasing frequency of identity thefts via Internet banking, federal regulators are requiring all financial institutions to implement a multi-factor authentication (MFA) system by December 31, 2006. With 52 million Internet banking records reported lost in 2005 alone, the move to make layered security changes is necessary and commendable, albeit challenging, according to Raj Patel, a partner in the Technology Consulting and Solutions practice at Midwest-based Plante & Moran PLLC.

“MFA mandates will require on-line bank customers to submit another form of identification, in addition to their logon password, when logging into an Internet banking site,” explains Patel. “That’s a good idea in theory, but in practice it has banks struggling with implementation because a practical and cost-effective solution is not readily available.”

Patel notes that token devices and smart cards, currently in use for commercial customers, can be used to satisfy the requirement but are extremely expensive to implement for consumers. At the same time, the more cost-effective solutions are confusing and fail to fully meet MFA requirements.

“Some banks are initially implementing solutions that track the identification of the desktop that a customer uses to log onto his Internet banking site, but such tracking does not address the situation of a customer logging in from a work computer,” says Patel. “Accordingly, banks would then opt to ask user-specific questions to verify identity.”

Patel points out that product solutions are actually the second piece of the MFA process; the first step towards MFA compliance is risk assessment. Patel is advising his banking clients to use one of three risk assessment approaches, depending on the bank’s overall multi-factor security strategy, and has created a proprietary risk assessment template to aid clients in determining which authentication approach is best.

“The majority of our community bank clients will use a gateway authentication approach, which sets one consistent level of authentication for all customers upon entry to the Internet banking site,” comments Patel. “A zone-based authentication approach segments the Internet banking site into several risk zones, such as bill payment and account balance review, and requires consistent authentication in the same risk zone. The third approach, transaction-based authentication, assesses the risk of each transaction activity, such as a wire transfer or bill payment, and adjusts authentication in real-time.”

Patel concludes that whatever risk assessment approach or implementation option a bank selects, multi-factor authentication is certain to add another step to the on-line banking process for consumers.

Plante & Moran (www.plantemoran.com) is one of the country’s leading accounting and business advisory firms providing clients with financial, human capital, operations, strategy, technology, and family wealth management services. With more than 1,500 staff members, the firm has offices throughout Michigan, Ohio, and Illinois, and in Nashville, Tennessee and Shanghai, China. Plante & Moran has been recognized by a number of organizations, including FORTUNE magazine, as one of the country’s best places to work.

downloads

Risk Assessment for High Risk Transactions.xls


media contact

Donna Smith
248.357.7277
donna.smith@plantemoran.com

P&M perspectives

Raj Patel, Plante & Moran partner and head of our Security Assurance Practice, will discuss the ramifications of multi-factor authentication in financial institutions.



For questions regarding Multi-Factor Authentication, please email MFQuestions@plantemoran.com